re: How do we improve security in the npm ecosystem? VIEW POST


The possibility of malicious npm packages was pointed out almost a year ago.

The root of the problem cannot be fixed in imperative paradigms. By definition, if you can tell the effects of any piece of code through static analysis, it's declarative (no side-effects), not imperative. And if you can't identify the effects automatically, you're going to have to read and understand the code all by yourself, which greatly reduces the time saved by using someone else's code.

There's a reason functional programmers keep raving about (safe) composition.

Admittedly, you could have an automated system that analyzes a subset of the code/syntax automatically, rather like the safe language extension in Haskell, which might work for a lot of cases.

code of conduct - report abuse